Security Issue with Servlets and *.do

 
Bjorn Stove
Greenhorn
Posts: 19
Hi.
I have a web application that under its context has two different
maps, one is admin and the other one is user.
I use an ActionRouter and have actions like list-clients.do.
The admin map is a restricted area described in web.xml.
You have to be in AdminRole to get access.

My problem is that if I log in as user, I can "shoot" action commands
like list-clients.do from the user area and the Servlet maps to the proper
jsp that is in the admin map. When I then try isUserInRole and so on
there is only a question mark. If I run from the admin area, isUserInRole
knows who is logged in.
PS. I put in the list-clients.do in the URL like: http://myplace.com/users/list-clients.do and the servlet replies with the jsp from the
admin area.
Anybody know why the restricted area declared in the web.xml file
does not work under that condition, and how to solve this?
Many Thanks
Bjorn
 
Jesus Angeles
Ranch Hand
Posts: 2069
Most likely your mapping, I think. Would you mind posting your DD here? If it is too big, just the concerned servlet / servlet-mapping / security entry / role, only those concerned with your current problem. Better if you post the whole DD.
 
Bjorn Stove
Greenhorn
Posts: 19
Here's my web.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <filter>
    <filter-name>loginfilter</filter-name>
    <filter-class>argus.web.util.LoginFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>loginfilter</filter-name>
    <url-pattern>/admin/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>loginfilter</filter-name>
    <url-pattern>/user/*</url-pattern>
  </filter-mapping>
  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>argus.web.servlet.ActionServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>setup</servlet-name>
    <servlet-class>argus.web.servlet.SetupServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>
  <session-config>
    <session-timeout>0</session-timeout>
  </session-config>
  <security-constraint>
    <display-name>ArgusAdmin</display-name>
    <web-resource-collection>
      <web-resource-name>AdminAdaptor</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ArgusAdmin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>ArgusUser</display-name>
    <web-resource-collection>
      <web-resource-name>UserAdaptor</web-resource-name>
      <url-pattern>/user/*</url-pattern>
      <url-pattern>/index.htm</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ArgusAdmin</role-name>
      <role-name>ArgusUser</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.htm</form-login-page>
      <form-error-page>/loginError.htm</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>ArgusAdmin</role-name>
  </security-role>
  <security-role>
    <role-name>ArgusUser</role-name>
  </security-role>
</web-app>

Regards
Bjorn
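
The behaviour described in the first post, and the web.xml above, follow from two properties of the servlet container. First, a <security-constraint> is matched against the URL the browser requested and is never re-evaluated on a RequestDispatcher.forward(), so a request to a .do URL outside /admin/ that the action servlet forwards to a JSP inside /admin/ is served without the ArgusAdmin check. Second, the *.do mapping itself carries no constraint, so any .do URL that is not under /admin/* or /user/* reaches the servlet with no login at all (the URL in the first post uses /users/, which neither pattern covers), which is why getRemoteUser() and isUserInRole() have nothing to report there. The following is an added example, not code from this thread or from the argus application, of an action servlet that closes both gaps: it requires an authenticated caller, decides the required role per action rather than per directory, and forwards only to JSPs kept under /WEB-INF/ where no URL can reach them directly. The action names, JSP paths and the Action class are assumptions made for the example.

```java
package argus.web.servlet; // package name taken from the posted web.xml

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not the application's own ActionServlet) of an action router that
 * enforces authorization itself.  The container only evaluates <security-constraint>
 * against the URL the client requested; a forward() from /user/list-clients.do to a
 * JSP under /admin/ is never re-checked.  Keeping the JSPs under /WEB-INF/ makes
 * them unreachable by direct URL, so this servlet is the only way in.
 */
public class ActionServlet extends HttpServlet {

    /** One routing entry: the role a caller must hold (null = any logged-in user) and the JSP to forward to. */
    private static final class Action {
        final String requiredRole;
        final String jsp;
        Action(String requiredRole, String jsp) { this.requiredRole = requiredRole; this.jsp = jsp; }
    }

    private final Map<String, Action> actions = new HashMap<String, Action>();

    @Override
    public void init() {
        // Role names are the <security-role> entries from the posted web.xml; the
        // action names and JSP locations are assumptions for this example.
        actions.put("list-clients", new Action("ArgusAdmin", "/WEB-INF/jsp/admin/listClients.jsp"));
        actions.put("my-profile",   new Action(null,         "/WEB-INF/jsp/user/myProfile.jsp"));
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        dispatch(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        dispatch(req, resp);
    }

    private void dispatch(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // 1. Authentication is the container's job (FORM login).  If nobody is logged in,
        //    getUserPrincipal() is null: the request arrived on a URL that no
        //    <security-constraint> covers, so the container never asked for a login.
        if (req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // 2. Resolve the action name from the servlet path.  For an extension mapping
        //    such as *.do, getServletPath() returns e.g. "/user/list-clients.do".
        String path = req.getServletPath();
        String name = path.substring(path.lastIndexOf('/') + 1);
        if (name.endsWith(".do")) {
            name = name.substring(0, name.length() - 3);
        }
        Action action = actions.get(name);
        if (action == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // 3. Authorization is decided on the action, not on the directory the URL was
        //    typed into.  isUserInRole() is meaningful here because step 1 guaranteed
        //    an authenticated caller.
        if (action.requiredRole != null && !req.isUserInRole(action.requiredRole)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // 4. Forward to the JSP.  Constraints are not re-applied on a forward, which is
        //    exactly why the check above and the /WEB-INF/ location are both needed.
        RequestDispatcher rd = getServletContext().getRequestDispatcher(action.jsp);
        rd.forward(req, resp);
    }
}
```

Pair this with an extra <security-constraint> whose <url-pattern> is *.do and whose <auth-constraint> lists ArgusUser and ArgusAdmin, so the container forces the FORM login before the servlet runs at all; the servlet then does the per-action role check, and a JSP under /WEB-INF/ cannot be requested by URL, so there is no longer any path into the admin pages that skips both checks.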
 